dwm.exe calling out to the internet

dwm.exe is attempting to access the internet. Is this acceptable?

Would be nice if the firewall would display the hash of the file or program making the request.

 

If your dwm.exe = Desktop Window Manager then i'd say no. Right click on it's properties, and also upload it to VT etc.

If you choose the classic look it shouldn't be running.

 

What O/S are you running, Vista or Win7? To where is it trying to connect? Do you see a remote port, ip address?

 

Vista SP2
It's trying to connect out on a multicast address; 224.0.0.22 igmp
I'll have to check the block log for any other info.

Are there any malwares with that behaviour, where they use multicast?

Edit: Maybe I should disable Toredo?

Malware Forensics: Investigating and Analyzing Malware Code - Google Books

 

I doubt it's anything to worry about as long as it's the legitimate MS process. You could try blocking it and if you see no adverse effects, you could leave it blocked.

 

I think it is a mistake to think that because it's an MS file name the behavior is OK.

What is the Desktop Window Manger?
MSDN @ Microsoft.com

RDP replicates the functionality of DWM across a network boundary.

Will disabling RDP be enough to stop DWM trying to connect out?
Why is DWM trying to connect out without me initiating an RDP event?

 

Trust no program even your operating system is a nice mantra.

-http://www.indymedia.org.uk/en/2004/10/298702.html

*removes tin foil from the head*/just kidding

Try the suggestion of wat0114.

 

I stated if it's a legitimate MS process it's probably nothing to worry about. That doesn't mean it can't be controlled if you don't like what it's doing, just as I don't completely like what the legit MS process svchost always does, so I control its oubound comms with the firewall. My suggestion is to simply create a rule to block dwm.exe from all outbound comms, and if that doesn't break anything, then you've accomplished what you set out to do
There might be a way to disable it from within the system settings, but I don't know how that's done, at least not yet.

 

It has been blocked since my first post.

Just don't feel comfortable after reading a white paper stating that multicast can be used as a hidden communication network across AP's.

A tinfoil hat offers limited protection so I've tinfoiled the entire room.

 

More info
http://www.dslreports.com/forum/remark,9627471

 

Beck's symptoms are identical to my symptoms and never rejoined the conversation with more research.
Members didn't offer methods of determining what is causing this behavior outside of stating the firewall was inaccurate in pinpointing the culprit and that the packets were being generated at a very low level.

If packets are being generated at the I/O level, what can accomplish this?

 

Have you tried FileMonitor as mentioned in that thread, they claimed you could find out what process is really requesting the connection.

And what about time to live? If it's 1 it can't connect to the internet. You could allow connections to only that IP and then see what happens.